
问题描述

我有一个 Quarkus REST API(机密客户端)应用程序,其路由由 Keycloak 授权。Keycloak 和 Quarkus 应用程序都位于 nginx 代理后面。

我有一个问题,即 quarkus 应用程序在应用策略执行器时无法连接到 Keycloak。

应用程序属性

quarkus.http.port=8085

# OIDC Configuration
# Internal Docker DNS name of the Keycloak service (see docker-compose.yml);
# this goes straight to the container on the compose network, bypassing nginx.
# NOTE(review): the realm's discovery document (openid-configuration excerpt
# above) advertises every endpoint under http://localhost/auth/..., matching
# KEYCLOAK_FRONTEND_URL on the Keycloak container. Inside the my-api container
# "localhost" is my-api itself, so any client that follows the discovered
# endpoints cannot reach Keycloak even though this base URL is reachable.
# Likely root cause of the enforcer failure; the fix is probably on the
# Keycloak side (a frontend host resolvable from both the browser and the
# my-net network) rather than here — TODO confirm.
quarkus.oidc.auth-server-url=http://my-keycloak:8080/auth/realms/proxy-apis
quarkus.oidc.client-id=my-api
# Client secret committed in clear text; outside a local sandbox supply it via
# the QUARKUS_OIDC_CREDENTIALS_SECRET environment variable instead.
quarkus.oidc.credentials.secret=secret
# Disables TLS certificate verification. Inert while the URL above is plain
# http, but it must not survive a switch to https — remove it then.
quarkus.oidc.tls.verification=none

# Enable Policy Enforcement
# Turns on the Keycloak authorization-services enforcer for incoming requests;
# it makes its own calls to Keycloak, which is what the question reports
# failing once this is enabled.
quarkus.keycloak.policy-enforcer.enable=true

我认为 API 应用程序内部无法连接到 Keycloak 服务器。我认为这是因为 .well-known/openid-configuration 中的网址是基于代理网址的。如果是这种情况,我该如何更改该 URL?

我在这里创建了一个示例应用程序

请帮我解决问题。

openid 配置

"issuer": "http://localhost/auth/realms/proxy-apis",
"authorization_endpoint": "http://localhost/auth/realms/proxy-apis/protocol/openid-connect/auth",
"token_endpoint": "http://localhost/auth/realms/proxy-apis/protocol/openid-connect/token",
"introspection_endpoint": "http://localhost/auth/realms/proxy-apis/protocol/openid-connect/token/introspect",
"userinfo_endpoint": "http://localhost/auth/realms/proxy-apis/protocol/openid-connect/userinfo",
"end_session_endpoint": "http://localhost/auth/realms/proxy-apis/protocol/openid-connect/logout",
"jwks_uri": "http://localhost/auth/realms/proxy-apis/protocol/openid-connect/certs",
"check_session_iframe": "http://localhost/auth/realms/proxy-apis/protocol/openid-connect/login-status-iframe.html",

nginx.conf

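events {
}

http {
    log_format compression '$remote_addr - $remote_user [$time_local] '
                           '"$request" $status $body_bytes_sent '
                           '"$http_referer" "$http_user_agent" "$gzip_ratio"';

    # Send "Connection: upgrade" to Keycloak only when the client actually
    # requested an upgrade; the previous config sent it on every request.
    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }

    server {
        listen 80;

        # proxy_set_header is NOT inherited into a location that declares its
        # own proxy_set_header lines (both locations below do), so the
        # forwarding headers are declared per location. The server-level
        # X-Forwarded-For also used $proxy_protocol_addr, which is only
        # populated with "listen ... proxy_protocol" and was therefore empty.

        location /api {
            proxy_http_version 1.1;
            proxy_set_header Host $host;
            proxy_set_header Connection "";
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            # "location /api" with a trailing-slash proxy_pass maps "/api/x"
            # to "//x"; if the backend does not tolerate the doubled slash,
            # use "location /api/" instead (left as-is to keep current routing).
            proxy_pass http://my-api:8085/;
        }

        location /auth {
            proxy_http_version 1.1;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            # Keycloak trusts this because PROXY_ADDRESS_FORWARDING=true is set
            # on the container; it must reflect the real client scheme.
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Script-Name /auth;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
            proxy_cache_bypass $http_upgrade;
            proxy_pass http://my-keycloak:8080;
        }
    }
}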

docker-compose.yml

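version: '3.3'

services:
  lb:
    image: nginx:1.21.0
    container_name: lb
    volumes:
      - ./nginx.conf:/etc/nginx/nginx.conf
    depends_on:
      - my-api
    networks:
      - my-net
    ports:
      # Quoted as Compose recommends: HOST:CONTAINER values whose second part
      # is below 60 are read as base-60 integers by YAML 1.1 parsers.
      - "80:80"

  my-api:
    # Unpinned tag; pin a maven/JDK version for reproducible builds.
    image: maven
    volumes:
      - "../keycloak-proxy/:/app"
      - "~/.m2:/root/.m2"
    # ports:
    #   - "8085:8085"
    working_dir: /app
    command: "mvn compile -Dquarkus.http.host=0.0.0.0 quarkus:dev"
    container_name: my-api
    networks:
      - my-net
    depends_on:
      - my-keycloak

  my-keycloak:
    image: jboss/keycloak:12.0.4
    container_name: my-keycloak
    volumes:
      - ./realm-export.json:/home/realm-export.json
    environment:
      # The realm's discovery document builds every endpoint from this URL
      # (see the openid-configuration excerpt: all endpoints are
      # http://localhost/auth/...). From inside the my-api container
      # "localhost" is my-api itself, not nginx, which is the likely reason the
      # policy enforcer cannot reach Keycloak although auth-server-url points
      # at my-keycloak:8080. Prefer a hostname resolvable both from the browser
      # and from the my-net network — TODO confirm.
      KEYCLOAK_FRONTEND_URL: 'http://localhost/auth/'
      # Makes Keycloak trust X-Forwarded-* from nginx. Acceptable only because
      # port 8080 is not published; publishing it would let clients spoof them.
      PROXY_ADDRESS_FORWARDING: "true"
      # Default admin credentials committed in clear text: local dev only.
      KEYCLOAK_USER: admin
      KEYCLOAK_PASSWORD: admin
      KEYCLOAK_IMPORT: /home/realm-export.json
    # upload_scripts allows scripts to be supplied through the admin API or a
    # realm import; it is a deprecated dev feature, keep it off elsewhere.
    command:
      - "-Dkeycloak.profile.feature.upload_scripts=enabled"
    networks:
      - my-net

networks:
  my-net:
    driver: bridge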

标签: keycloak

解决方案

